KRB5 Credential Cache Move

Summary

This feature changes the default location of a user's Kerberos credential cache from living in /tmp/krb5cc_$UID or /tmp/krb5cc_$UID_XXXXXX to being a similarly-named file in the /run/user/$UID directory.

Owner

Current status

Detailed Description

Packages that create Kerberos credential caches on behalf of a user (real or system) will need to change where this cache is stored.

The components which obtain credentials and set up a credential cache for a user at login-time currently set $KRB5CCNAME to point to the user's credential cache, and as they change where they place the credential caches, this value will continue to be set to reflect the correct location. As a result, processes which run as part of the user's session should be expected to handle this transition automatically and without any specific modifications.

Processes which do not run as part of the user's session, but which still wish to use the credentials which belong to a given user, will need to be modified. Typically, their current practice is to search the /tmp directory for a suitably-named file which belongs to the user in question, and for each one that is found, to check if it contains unexpired credentials. These processes (rpc.gssd and its CIFS counterpart (cifs.upcall?), at least) will need to be configured or patched to search the new location in preference over the old one.

To be more specific, processes which currently consider "FILE:/tmp/krb5cc_${UID}*" should change their search to also include "FILE:/run/user/${UID}/krb5cc*", preferably to be searched before /tmp. Note that Features/KRB5CacheMove will also require adding "DIR:/run/user/${UID}/krb5cc*" to this list, preferably either before or at the same time that files in /run/user/${UID} are being considered.

Because these processes may need to use the user's credentials in order to allow normal login to occur at all, updates to their packages should be considered to be of higher priority than updates to other packages which require changes as part of implementing this feature.
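The search described above, written out as an added example (this is not code from the feature page, from rpc.gssd or from cifs-utils): it enumerates a user's caches in the preferred order, /run/user/$UID first (FILE: and DIR: entries there are considered together, by name) and the legacy /tmp/krb5cc_$UID* files afterwards. It also adds the two checks a daemon running outside the user's session should make before trusting a path it did not create: only entries owned by the UID are considered, and /run/user/$UID is searched only when it is the user's own mode-0700 directory, which is what the tmpfiles.d snippet in the Scope section below guarantees. The validity test defaults to MIT krb5's `klist -s -c NAME`, which exits 0 only when the cache holds unexpired credentials; the `root` parameter and the `is_valid` hook exist only so the function can be pointed at a scratch tree and are not something the real daemons have.

```python
"""Enumerate a user's Kerberos credential caches in the search order the
KRB5 Credential Cache Move feature asks daemons (rpc.gssd, cifs.upcall)
to use: /run/user/$UID before the legacy /tmp/krb5cc_$UID* files.

Added example; not code from the feature page or from any listed package.
"""
import glob
import os
import stat
import subprocess


def _private_dir_ok(path, uid):
    """/run/user/$UID must be the user's own 0700 directory, as created by
    systemd-logind or a tmpfiles.d snippet.  Anything else (wrong owner,
    looser mode, a symlink, a missing directory) is skipped, not trusted."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == uid
            and stat.S_IMODE(st.st_mode) == 0o700)


def cache_candidates(uid, root="/"):
    """Return KRB5CCNAME-style names ("FILE:..." / "DIR:...") to try, in
    preference order.  `root` is an assumption of this example so it can be
    run against a scratch tree; a daemon would always use the default."""
    run_dir = os.path.join(root, "run", "user", str(uid))
    tmp_dir = os.path.join(root, "tmp")
    found = []

    if _private_dir_ok(run_dir, uid):
        for path in sorted(glob.glob(os.path.join(glob.escape(run_dir), "krb5cc*"))):
            st = os.lstat(path)          # lstat: never follow a symlink planted here
            if st.st_uid != uid:
                continue
            if stat.S_ISDIR(st.st_mode):
                found.append("DIR:" + path)   # directory (collection) cache
            elif stat.S_ISREG(st.st_mode):
                found.append("FILE:" + path)  # plain file cache

    # Legacy location.  Note that the pattern krb5cc_1000* also matches
    # krb5cc_10001, so the ownership check is what keeps another user's
    # cache out of the list.
    for path in sorted(glob.glob(os.path.join(glob.escape(tmp_dir), "krb5cc_%d*" % uid))):
        st = os.lstat(path)
        if st.st_uid == uid and stat.S_ISREG(st.st_mode):
            found.append("FILE:" + path)
    return found


def klist_says_valid(cache_name):
    """`klist -s -c NAME` exits 0 iff NAME holds non-expired credentials."""
    return subprocess.call(["klist", "-s", "-c", cache_name]) == 0


def first_usable_cache(uid, root="/", is_valid=klist_says_valid):
    """First cache, in preference order, that still has unexpired
    credentials, or None if the user has no usable cache."""
    for name in cache_candidates(uid, root):
        if is_valid(name):
            return name
    return None


if __name__ == "__main__":
    print(first_usable_cache(os.getuid()))
```

A C daemon would do the same walk through libkrb5 (resolving each candidate name and checking its credentials) rather than by spawning klist; the ordering and the ownership and mode checks are the part that carries over.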

Benefit to Fedora

The goal is to make credential saving a bit more predictable while avoiding races. Along the way we also gain a little more security: /run is a tmpfs, so cached credentials are automatically removed when the machine is shut off.

Scope

For daemons that use a keytab to kinit because they act as clients (as opposed to just servers that accept Kerberos connections), it may be necessary to add a configuration snippet under /etc/tmpfiles.d so that /run/user/$UID is created with the correct permissions (700) and user ownership.

For example, httpd (whose apache user has UID 48 on Fedora) would add the following line to /etc/tmpfiles.d/httpd.conf; /var/run is a symlink to /run, so either spelling of the path works:

d /var/run/user/48 700 apache apache

If you know your daemon requires a credential cache file and does not specify one on its own but instead relies on the default location, then you should open a ticket in bugzilla and add the necessary configuration to tmpfiles.d.

How To Test

1. Verify that, when logging in through SSSD or pam_krb5, the credential cache listed by 'klist' is either FILE:/run/user/$UID/krb5cc or has a name based on the pattern FILE:/run/user/$UID/krb5cc_XXXXXX.
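The check above can be scripted. The following is an added example, not part of the feature page: it pulls the cache name out of klist's output and tests it against the new location pattern for the expected UID. It assumes MIT krb5's klist, whose first output line reads "Ticket cache: TYPE:name", and that the XXXXXX part of a cache name is the six-character alphanumeric suffix mkstemp produces; DIR: caches at the same path (mentioned in the Detailed Description) are accepted as well. The two klist outputs are constructed samples, one from before and one from after the move.

```python
"""Verify from `klist` output that the default credential cache lives in
/run/user/$UID.  Added example for the test step above; not code from the
feature page.  Assumes MIT krb5 klist output ("Ticket cache: TYPE:name")."""
import re

TICKET_CACHE_RE = re.compile(r"^Ticket cache:\s*(\S+)\s*$", re.MULTILINE)

# FILE:/run/user/$UID/krb5cc or FILE:/run/user/$UID/krb5cc_XXXXXX, where
# XXXXXX is the six-character mkstemp suffix (assumed alphanumeric).  DIR:
# caches at the same path are accepted too.
NEW_LOCATION_RE = re.compile(
    r"^(?P<type>FILE|DIR):/run/user/(?P<uid>\d+)/krb5cc(_[A-Za-z0-9]{6})?$")


def cache_name_from_klist(output):
    """Return the cache name klist reports, e.g. 'FILE:/run/user/1000/krb5cc'."""
    m = TICKET_CACHE_RE.search(output)
    if m is None:
        raise ValueError("no 'Ticket cache:' line in klist output")
    return m.group(1)


def is_new_location(cache_name, uid):
    """True iff the cache is under /run/user/<uid> with the expected name.
    The UID in the path must match: a cache under another user's
    /run/user directory is not this user's cache."""
    m = NEW_LOCATION_RE.match(cache_name)
    return m is not None and int(m.group("uid")) == uid


def verify_klist(output, uid):
    """Combine the two steps: does this klist output show a cache in the
    new location for `uid`?"""
    return is_new_location(cache_name_from_klist(output), uid)


# Constructed sample output, pre-F18 layout (old location).
OLD_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
02/23/2012 10:00:00  02/23/2012 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed sample output after the move (new location).
NEW_KLIST = """Ticket cache: FILE:/run/user/1000/krb5cc_Xy9Abc
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
02/23/2012 10:00:00  02/23/2012 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

if __name__ == "__main__":
    import os
    import subprocess
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    print("cache in new location:", verify_klist(out, os.getuid()))
```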

User Experience

The end-user experience should be minimally changed. The most noticeable effect will be that credential caches will not survive a reboot (this is a security enhancement: still-valid credentials can no longer be recovered from a stolen system after it is powered off).

Dependencies

This list is not (yet) complete:

sssd

pam_krb5

mod_auth_kerb

sshd

nfs-utils

cifs-utils

kstart

krb5-appl

For daemons that use a keytab to kinit because they act as clients (as opposed to just servers that accept Kerberos-authenticated connections), it may be necessary to add a configuration file under /etc/tmpfiles.d so that /run/user/$UID is created with the correct permissions (700) and user ownership.

For example, httpd (whose apache user has UID 48 on Fedora) would add the following line to /etc/tmpfiles.d/httpd.conf:

d /var/run/user/48 700 apache apache

Some other daemons (such as rpc.gssd and sshd) have hard-coded /tmp locations and will require patching to complete this transition.

We are still investigating which packages require changes.

Contingency Plan

Reverting to the original behavior will be possible, though non-trivial. Our current plan is to land this feature very early in the F18 process (some pieces are already landing today on 2012-02-23) so that we have the maximum amount of time to work out any issues.

Documentation

No relevant documentation

Release Notes

Fedora 18 changes the standard location of Kerberos credential caches to /run/user/$UID in order to increase security and simplify locating the caches for NFSv4.